venth / aws-adfs

Command line tool to ease aws cli authentication against ADFS (multi factor authentication with active directory)
MIT License

After login, when selecting a role throws the below error #85

Open narendergakka opened 6 years ago

narendergakka commented 6 years ago

Using the command `aws-adfs login --adfs-host=domain.domain.com --no-ssl-verification` to log in; however, after it successfully authenticates against the domain and displays the available roles, the role selection throws the error below.

Does anyone know why this happens?

```
Selection: 0
Traceback (most recent call last):
  File "/usr/local/bin/aws-adfs", line 9, in <module>
    load_entry_point('aws-adfs==0.8.0', 'console_scripts', 'aws-adfs')()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/aws_adfs/login.py", line 159, in login
    DurationSeconds=3600,
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 612, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: Principal ARN is invalid
```

pkccd commented 6 years ago

@narendergakka Check the claim rules on the sso provider and ensure there are no typographical errors. We have a RegExReplace in our claim rule and there was a space in front of the ARN that was causing the same error.

We were banging our heads against the wall trying to figure it out as we were able to access via the console, but not through CLI access. I guess the console variant is a little more forgiving.
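As an added example (not code from aws-adfs or from anyone in this thread), a pre-flight check over the SAML assertion's Role attribute that surfaces the leading-space defect pkccd describes before the tool ever calls AssumeRoleWithSAML. The assertion, account id, role names and provider name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed SAML assertion. The second Role value carries a leading space in
# the SAML-provider (principal) ARN, the claim-rule defect discussed above.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly, arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ARN = re.compile(r"^arn:aws(-[a-z]+)*:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws(-[a-z]+)*:iam::\d{12}:saml-provider/[\w._-]+$")

def extract_role_pairs(assertion_xml):
    """Return raw (role_arn, principal_arn) pairs, deliberately unstripped so
    whitespace injected by a claim rule stays visible to the checker."""
    pairs = []
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = (value.text or "").split(",")
            if len(parts) != 2:
                pairs.append((value.text, None))
                continue
            if ":saml-provider/" in parts[0]:  # AWS accepts either order
                parts.reverse()
            pairs.append((parts[0], parts[1]))
    return pairs

def check_role_pairs(pairs):
    """Return (role_arn, reason) for every pair STS would reject."""
    problems = []
    for role, principal in pairs:
        if principal is None:
            problems.append((role, "value is not 'role_arn,principal_arn'"))
        elif role != role.strip() or principal != principal.strip():
            problems.append((role, "ARN has leading/trailing whitespace; inspect the claim rule"))
        elif not ROLE_ARN.match(role):
            problems.append((role, "role ARN is malformed"))
        elif not PROVIDER_ARN.match(principal):
            problems.append((role, "principal ARN is malformed"))
    return problems
```

Running `check_role_pairs(extract_role_pairs(SAML_ASSERTION))` flags only the ReadOnly pair, with the whitespace reason, which is the condition that reaches STS as "Principal ARN is invalid".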